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Abstract 


The objective of this research is to understand the cloud components, security issues, 
and dangers, along with emerging solutions that may potentially mitigate the 
vulnerabilities in the cloud. It is a commonly accepted fact that, cloud is a viable 
hosting platform; however, the perception with respect to security in the cloud is that 
it needs significant improvements to realize higher rates of adaption in the enterprise 
scale. As identified by another research, many of the issues confronting the cloud 


computing need to be resolved urgently. 
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1. Introduction 


With so much of our workload moving to cloud, security in cloud computing 
is under increased scrutiny. This assessment is also supported by the 2017 report by 
Forbes, which says that in 15 months, while 80% of all IT budgets will be 
committed to cloud solution, 49% of the businesses are delaying cloud deployment 
due to security skills gap and concerns. The problem appears to be multi- 
dimensional, with lack of skilled resources, lack of maturity, conflicting best 


practices, and complex commercial structures to name a few. 


Cloud Storage as a service is a growing trend with features like elasticity, 
pay-as-you-go, business 12 continuity with long-term retention and risk mitigation 


through disaster recovery. All these features 13 are not available with on-premises 
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storage. Popular cloud-based storage services available today are Dropbox, One 
Drive, Amazon S3, Google Drive, Box, and Sugar Sync etc. Nowadays, to improve 
business strategies organizations use analysis techniques over their historical data. 
Some business sectors for instance telecom and e-health have compliance 
requirements, which bind them to keep historical data over a specified period. Not 
every organization is equipped to manage large secondary storage or build their 
private data centers (because of the cost associated with building and maintaining 
such infrastructure). Cloud Storage can be of great service to such organizations 
because of its flexible model [1-11]. However, the loss of control is an inherent issue 


with outsourced data storage model. 


Although the cloud service provider (CSP) is bounded by a service level 
agreement (SLA) to ensure data security, users cannot solely rely on such 
agreements. Furthermore, reliance on a contractual obligation may fail to detect the 
malicious behavior of the service provider. Cloud computing operational details are 
not transparent to the customers and the CSP may be untrusted [12-23]. So besides 
the convenience provided by cloud model, data security issues such as 
confidentiality, privacy, and data integrity are also associated with cloud storage 
service model. Data can be manipulated or lost due to accidental or intentional 
malicious activity, which can be a nightmare for the user and an embarrassment for 
cloud service provider. Cloud has a provision of “multi-tenancy” i.e. cloud resources 
will be shared and utilized by multiple users; therefore, adversaries can take 


advantage of vulnerabilities in the cloud. 


Adaption of cloud has reached a tipping point and it is expected that more 
workloads will move from traditional local storage to cloud from not just average 
Internet users, but also from most if not all commercial entities. While there are 
many problems that need identifying, analyzing, and addressing, this document 
attempts to survey the security in cloud computing and reports on various aspects of 


security vulnerabilities and solutions [24-39]. Some questions that need urgent 
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answers are: (a) Privileged User Access Management, (b) Regulatory Compliance, 
(c) Data Location, (d) Data Segregation, (e) Data Protection and Recovery Support, 
(f) Investigative Support, and (g) Long-term Viability. 


It is highly recommended that these questions, along with other risks, are assessed 
and addressed. Some of the assessments could be as follows: 
1. Organization capability and maturity 
2. Technology & data risks 
3. Application migration and performance risk 
4. People risks 
5. Process risks 

This article consolidates various works that address the risks, vulnerabilities, 
and potential controls in cloud computing. It also provides information on leading 
cloud architectures and frameworks. Moreover, the article identifies potential future 
research areas related to security in cloud computing. Before we dive into the 
security issues [40-50], it is important to understand the cloud definition and 
architecture. Cloud computing is a set of resources that can scale up and down on- 
demand. It is available over the Internet in a self-service model with little to no 


interaction required with the service provider. Cloud enables new ways of offering 


products and services with innovative, technical, and pricing opportunities. 


SaaS — Cloud software as a service 


— PaaS — Cloud platform as a service 


laaS = Cloud infrastructure as a service 
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Figure 1. Cloud Computing Architecture (Source: Internet) 
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As per NIST’s Cloud Computing Reference Architecture, there are five major 
factors that influence and are impacted by cloud computing, along with its security 
implications. This document focuses on cloud consumer and cloud provider’s threat 
and risk perceptions. It is important to note that the this represents an end-to- end 
reference architecture that addresses all the seven layers of the Open Systems 
Interconnection (OSI) model, and extends to include the business, commercial, and 
governance aspects. As it is evident, cloud computing is a comprehensive and 


complex solution with many areas of vulnerabilities. 
2. Deployment and Delivery Models 


The two most important aspects that determine the level of vulnerability in a cloud- 
computing platform is the choice of deployment and delivery model. There are three 
deployment and three delivery models that are considered as industry standards. 
Each of these three deployment and delivery models have unique security 
implications. The following sub-sections briefly discuss each of these models and 


their security implications: 


The three most common types of cloud deployment models are Private 
Cloud, Public Cloud, and Hybrid Cloud. The three cloud delivery models proposed 
by NIST and adapted by the industry are Infrastructure as a Service (IaaS), Platform 


as a Service (PaaS), and Software as a Service (SaaS). 


Cloud computing, like other areas of IT, suffers from a number of security 
issues, which need to be addressed. These risks pertain to policy and organization 


risks, technical risks, and legal and other risks. 


Cloud is a set of technology, process, people, and commercial construct. Like 
all other technology, process, people, and commercial construct, cloud too has 
vulnerabilities. The following are some of the vulnerabilities in a cloud. Some of the 


open issues and threats that needs urgent attention are as follows: 
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Shared Technology vulnerabilities — increased leverage of resources gives 
the attackers a single point of attack, which can cause damage disproportional to its 
importance. An example of share technology is a hypervisor or cloud orchestration. 
Data Breach — with data protection moving from cloud consumer to cloud service 
provider, the risk of accidental, malicious, and intentional data breach is high. 
Account of Service traffic hijacking — one of the biggest advantages of cloud is 
access through Internet, but the same is a risk of account compromise. Loosing 
access to privileged account might mean loss of service. Denial of Service (DoS) — 


any denial of service attack on the cloud provider can affect all tenets. 


Malicious Insider — a determined insider can find more ways to attack and cover 
the track in a cloud scenario. Internet Protocol — many vulnerabilities inherent in IP 
such as IP spoofing, ARP spoofing, DNS Poisoning are real threats. Injection 
Vulnerabilities — vulnerabilities such as SQL injection flaw, OS injection, and 
LDAP injection at the management layer can cause major issues across multiple 
cloud consumers. API & Browser Vulnerabilities — Any vulnerability in cloud 
provider’s API or Interface poses a significant risk, when coupled with social 


engineering or browser based attacks; the damage can be significant. 


Changes to Business Model — cloud computing can be a significant change to a 
cloud consumer’s business model. IT department, and business needs to adapt or 
face exposure to risk. Abusive use — certain features of cloud computing can be used 
for malicious attack purposes such as the use of trail period of use to launch zombie 
or DDoS attacks. Malicious Insider — a malicious insider is always a major risk, 
however, a malicious insider at the cloud provider can cause significant damage to 
multiple consumers. Availability the probability that a system will work as required 


and when required. 


According to a recent research, the three major vectors of attack are network, 
hypervisor, and hardware. These vectors are mapped to attacks such as external, 


internal, and cloud provider or insider attack respectively. 
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The vulnerabilities and threats in the cloud are well documented. Each cloud 
service provider and cloud consumer has to devise countermeasures and controls to 
mitigate the risks based on their assessment. However, the following are some of the 
best practices in countermeasures and controls that can be considered: End-to-end 
encryption — the data in a cloud delivery model might traverse through many 
geographical locations; it is imperative to encrypt the data end-to-end. Scanning for 
malicious activities — end-to-end encryption while highly recommended, induces 
new risks, as encrypted data cannot be read by the Firewall or IDS. Therefore, it is 
important to have appropriate controls and countermeasures to mitigate risks from 


malicious software passing through encryption. 


Validation of cloud consumer — the cloud provider has to take adequate 
precautions to screen the cloud consumer to prevent important features of cloud 
being used for malicious attack purposes. Secure Interfaces and APIs — the interfaces 
and APIs are important to implement automation, orchestration, and management. 
The cloud provider has to ensure that any vulnerability is mitigated. Insider attacks — 
cloud providers should take precaution to screening employee and contractors, along 
with strengthening internal security systems to prevent any insider attacks. Secure 
leveraged resources — in a shared/multi-tenancy model, the cloud provider has 
secure shared resources such as hypervisor, orchestration, and monitoring tools. 
Business Continuity plans — Business continuity plan is a process of documenting 
the response of the organization to any incidents that cause unavailability of whole 


or part of a business-critical process. 
3. Conclusions 


The vulnerabilities and threats in the cloud are well documented. Each cloud 
service provider and cloud consumer has to devise countermeasures and controls to 
mitigate the risks based on their assessment. It is important to take this research 
forward to provide such best practices to more applications and use cases. It is also 


essential to conduct further research in systems development life cycle (SDLC) for 
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cloud consumers to incorporate various development and _ technological 
advancement models and container systems such as Docker to improve security at a 
fundamental level. Additionally, there is very limited research on training and 
people impact on security. Work can be done to understand the challenges, 
requirements, and impact of effective security training for consumers and other 


providers. 
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